Have you ever put off a task till ”tomorrow” only to find that an
unscheduled event takes its place and then you miss the deadline?
Sometimes it’s easy to recovery but other times it not only makes an
impact on you, but on others.
Unfortunately, these issues happen not only in our personal lives, but in
businesses, as well.
Foresight is a virtue, to be sure. We all have heard our mothers telling
us to ”wear clean underwear without holes in case you are in an
accident.” The Boy and Girl Scouts have preached to always ”be
prepared”.
And yet, many times we just aren’t prepared.
Why?
Because it takes a conscience effort, as well as time, to plan in advance
for these type of events. In business, they are known as continuity plans
or disaster plans. Both federal agencies, as well as industry, have
identified methods and guidelines to prepare for unforeseen events. For
example, there is the National Response Plan (NRP) and the National
Incident Management System (NIMS). The NIMS encompasses the principles of
the Incident Command System (ICS), a nationally recognized incident
management system. There also is the Disaster Recovery Institute
International (DRII), which provides continuity and disaster recovery
concepts and principals.
Even with these regulations and guidance, Continutiy of Operations Plans
(COOP) are still not being viewed with great importance– although they
need to be.
For example, the terrorist attack on Sept. 11, 2001 proved that there is
significant oversight in contingency planning. Backup IT plans are not
disaster recovery plans. Getting employees quickly back to work and
performing enterprise functions after a disaster can mean the difference
between enterprise survival or failure.
”Two out of five businesses that are struck by a disaster will cease
operations within five years,” according to industry analyst firm
Gartner Inc., of Stamford, Conn.
So, how do you manage a disaster or a disruption?
In today’s uncertain environment, one of the ways to protect your
critical enterprise functions and information is through development and
maintenance of an enterprise continuity plan. No longer can we assume
that if IT has a back up plan, we are secure and safe.
One misconception is that the IT systems are the business functions.
This is a false, and often fatale, conception. IT systems support the
enterprise functions. Enterprise functions depend on IT systems to
complete the tasks associated with the function or mission of the
business. Therefore, enterprises require a continuity plan. An Enterprise
Continuity Plan (ECP) encompasses more than the information technology
(IT) — it includes the enterprise functions, processes, people and
assets.
Continuity of Operations Planning (COOP) processes and documents have
been developed for many years, focusing solely on the IT level and
failing to recognize the importance of the functionality level of an
enterprise. A good COOP process should provide an enterprise
infrastructure with reasonable methods to prevent, respond, resume,
recover, and restore services at the enterprise functionality level
should events occur which prevent or disrupt normal operations.
A basic COOP should include a business impact analysis, a concise plan
that identifies backup and recovery strategies, an implementation plan to
ensure the backup data site is operational, the personnel site has been
identified and the appropriate agreements are in place. The COOP also
needs to be tested at least yearly. And, no, testing does not include
those actual events when a COOP goes into effect.
In addition, COOP exercises and maintenance also should be addressed in
the overall plan. Testing and exercising the plan can be accomplished
through various methods. A desktop exercise is where personnel review the
plan and identify any weaknesses. Another method is a walkthrough,
whereby a panel gets together and ”walks through” the plan to identify
weaknesses.
The most complete method is the simulation, though it requires
resources. A simulation tests the COOP completely. Simply put, a disaster
is simulated and the plan is put to the test. Only the minimum number of
people should know that a simulation will take place, otherwise the
results will be false.
The plan is a living document, meaning that it should be updated
regularly to meet its objectives. There are many issues which would cause
a COOP to require an update. Any results or lessons learned from testing
will require an update to the COOP. New systems or business processes
will need to be added to the COOP.
Only by keeping the COOP up to date, can it be effective.
This type of approach provides an overall plan that will mitigate risk by
providing the ability to continue critical enterprise operations in the
event of a contingency and cultivates a risk management culture focusing
on continuance, not just recovery.
Contingency plans are important to us all — not only in our private
lives, but in our professional lives. Without a plan, chaos will become
the only thing you have going when disaster strikes. Wouldn’t you rather
know where you want to be and how to get there than leave it up to
chance?
The only way to accomplish that is to have a solid and tested COOP. And,
of course, wearing clean underwear.